Embedded software has moved at a pace dictated by careful engineering and long development cycles. That world is gone. AI has accelerated everything, and embedded teams now generate and ship code at speeds that would have been unimaginable a decade ago. The remarkable part is not just how fast AI arrived in critical systems, but how quickly it has become an essential part of development for the software at the heart of critical infrastructure.ย
RunSafeย Securityโsย 2025 AI in Embedded Systems Reportย found that 83.5% of organizations have already deployed AI-generated code into production. That includes medical devices, industrial control systems, vehicles, and energy systems. AI is now helping to run the machines that keep society functioning.ย
The Change Inside Embedded Teamsย
If you talk to embedded engineers,ย theyโllย tell you a similar story. Someone on the team tried an AI tool because they wereย behind onย test coverage. Someone else used it to speed up documentation. Before long, AI became part of the development workflow.ย
The survey confirms it, as 80.5% of teams already use AI in development, and almost nobody plans to avoid it. AI is writing code paths that interact with sensors, hardware timers, and control loops. It is drafting logic that influences physical behavior in the real world.ย
The adoption happened quickly, and so, naturally, there is a lag in understanding what thisย means for security.ย
When Confidence and Riskย Donโtย Matchย
When asked whether they could detect vulnerabilities in AI-generated code, 96% of teams said they felt confident. On its own, that might sound reassuring. But in the same survey, 73% said AI-generated code poses a moderate or high cybersecurity risk.ย
And one in three organizations experienced a cyber incident involving embedded software within the past year.ย
The contradictionย indicatesย that teams trust the toolsย theyโveย used for years, such as static analysis, code reviews, and manual testing. But those tools were built for human-written code, written at human speed. AIย doesnโtย follow the same rules, and neitherย doย the vulnerabilities it introduces.ย
Confidence in familiar tools isย not the same asย readiness for unfamiliar risks.ย
A Different Kind of Code Requires a Different Kind of Securityย
One thing AI has changed is the shape of the code itself. AI rarely writes code the same way twice, which erodes one of the hidden pillars of embedded security, which is predictability. Threat models lose clarity. Vulnerabilities find their way into software not because teams are careless, but because the patterns they rely on no longer exist.ย
The report highlights this shift in another way. Security is theย number-oneย concern with AI-generated code, cited by 53% of respondents. That worryย emergesย not from one catastrophic failure but from dozens of small inconsistencies. In embedded systems, small inconsistencies accumulate into big consequences.ย
If you want to understand the urgency,ย memory safetyย is one example. Buffer overflows and use-after-free errors have been around in embedded systems for decades. If AI models are trained on C/C++ codebases with vulnerabilities, new code generated has the potential to amplify old mistakes. With only 49% of organizations using memory-safe languages, the industryย remainsย anchored to the same challenges that keep memory safety flaws as recurring vulnerabilities.ย
Why Embedded Teams Are Looking to Runtime Securityย
When you look closely at how organizations are responding, a themeย emerges. 60% of teams now rely on runtime protections for memoryย safety, andย runtime exploit mitigationย is one of the top three security priorities. The shift reflects a hard-earned lesson that you cannot test your way out of unknown vulnerabilities when the code volume and variability explode.ย
Embedded systems used to depend on getting things right before deployment. Nowย the realityย is different. These devices must remain safe even when a vulnerability is present in software.ย
AI is forcing security to adopt the perspective ofย designing forย resilience rather than perfection.ย WIthย runtime protections in place, organizations can rest assured that certain vulnerabilities are mitigated even before patches become available.ย
A Security Model That Matches the Momentย
Embedded systems are entering a phase where the amount of code, the sources of code, and the nature of code are all changing faster than traditional security practices can adapt. AIโs impact is that teams ship more software, and more unpredictable software.ย
This does not have to beย causeย forย alarm if teams take note of the risk, assume imperfections, and design for resilience. In fact, the report found that organizations are preparing to significantly increase their investment in embedded software security in the next two years, with 93.5% planning to increase investment and more than one-third expecting significant growth.ย
Respondents cited code analysis automation, AI-assisted threat modeling, runtime exploit mitigation, and more secure coding training as what they view as the most helpful cybersecurity improvements for embedded software development.ย
AI is writing the code that runs our critical systems. The question is whether our security frameworks can evolve quickly enough to match the reality we now live in.ย
About Joseph M. Saundersย
Joe Saunders is Founder & CEO ofย RunSafeย Security. He leads a team of former national security cyber experts on a mission to make critical infrastructure safe. Working with companies such as Lockheed Martin, GEย Vernova, and Vertiv as well as the US Army, US Navy, US Air Force, and dozens of other organizations,ย RunSafeย Securityย identifiesย risk in your software supply chain, prevents exploitation of embedded systems, and monitors software for indicators of compromise and bugs.ย ย ย
Joe is alsoย Chairmanย of Ask Sage, a cloud agnostic and large language model agnostic platform that is transforming how government and businessย operate. He previously served as a management consultant for PricewaterhouseCoopers, a director at Thomson Reuters Special Services, andย memberย of the management team ofย TARGUSinfoย (sold Neustar for $800M).ย
Joe isย a frequentlyย sought-after speaker and panelist and isย regularly askedย to author articles on cybersecurity, artificial intelligence, and geopolitics. He is particularly interested in the implications of technology competition, economic coercion, and international security on the transformation ofย the internationalย world order. He is the founder ofย Internationalย Resilience Institute, a 501(c) 3 non-profit which is building the Global Resilience Index to quantify power and coercion among nation states.ย
